It depends on what do you want to use for. If you want to display it, use htmlspecialchars. If you want to use as a database query, you might use mysql_real_escape_string in case of mysql. (or prepared statements)